Re: [exim] Cram authentication and domain-specific password …

Author: Jonas Meurer
Date:  
To: exim-users
Subject: Re: [exim] Cram authentication and domain-specific password file
Hi Dominic,

On 2015-07-01 14:03, Dominic Benson wrote:
> On 01/07/15 09:55, Jonas Meurer wrote:
>>
>> Ok, got that now. The following statement splits the username on '@'
>> and looks up the password for user <LOCALPART> in password file
>> /etc/vmail/users/<DOMAIN>:
>>
>> vmail_auth_cram:
>>   server_debug_print = "A: vmail-authenticator cram-md5 for $auth1"
>>   driver = cram_md5
>>   public_name = CRAM-MD5
>>   server_secret = \
>>     ${lookup{${extract{1}{@}{$auth1}}} \
>>       lsearch{VMAIL_USERS_DOMAINS/${extract{2}{@}{$auth1}}} \
>>       {$value} \
>>       fail \
>>      }
>>   server_set_id = ${extract{1}{@}{$auth1}}
>>
>
> On the face of it, this looks a bit dangerous - attempting auth with a
> contrived domain (e.g. with ../ or suchlike in it) could cause the
> lsearch to happen against an unintended file - possibly one in a
> location controlled by an attacker.
>
> I think you should look up the domain part first to ensure that it is
> one that you have set up.

Indeed, good point. I refrained from trying to implement my own SMTP
authenticator in Exim though and switched to the Dovecot authenticator
in the meantime. That one just works.

Nevertheless, thanks for your help.

Cheers,
jonas
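As an added illustration of the check Dominic suggests (configuration written for this note, not from either poster), the authenticator below only builds the lsearch path once the domain part has matched a fixed domain list; the list name `vmail_domains` and its file `/etc/vmail/domains` are assumed, while VMAIL_USERS_DOMAINS is the macro from Jonas's config:

```exim
# Added example, not from the thread. Assumed: a domain list named
# vmail_domains backed by the (assumed) file /etc/vmail/domains, one
# domain per line. VMAIL_USERS_DOMAINS is the macro used in the thread.

# main section
domainlist vmail_domains = lsearch;/etc/vmail/domains

begin authenticators

vmail_auth_cram:
  driver = cram_md5
  public_name = CRAM-MD5
  # The domain part of $auth1 is used in a file name only if it is in
  # vmail_domains, so a crafted domain such as "../../tmp/x" (or an empty
  # one, when there is no "@") never reaches lsearch. "fail" forces the
  # expansion to fail, which makes the authentication attempt fail.
  server_secret = ${if match_domain{${extract{2}{@}{$auth1}}}{+vmail_domains} \
                    {${lookup{${extract{1}{@}{$auth1}}} \
                       lsearch{VMAIL_USERS_DOMAINS/${extract{2}{@}{$auth1}}} \
                       {$value} fail}} \
                    fail}
  # Log the full address so users with the same local part in different
  # domains stay distinguishable.
  server_set_id = $auth1
```

The domain file is a plain list and contains no secrets, so it can be readable by the Exim user while the per-domain password files stay restricted.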